Zip Slip Flaw Affects Thousands of Open-Source Projects

A known critical vulnerability has been given the moniker Zip Slip this week in an effort to spread awareness of its prevalence: recent analysis shows it to affect multiple open-source ecosystems, including JavaScript, Ruby, .NET and Go – and as a result, thousands of developer projects, including ones from Amazon, Apache, HP, Pivotal and many others.

Zip Slip is a form of directory traversal that is triggered when files are extracted from an archive. A successful exploit lets an attacker remotely write files outside the intended extraction directory, overwriting existing files with attacker-controlled content, and from there pivot to remote command execution on the machine.

“An attacker can extract files from a ZIP file to a location outside the destination folder, and when that’s possible, they can overwrite files on the server to use for command execution, remotely,” said Danny Grander, a researcher at Snyk Security responsible for analyzing open-source projects for the flaw, in an interview. “This one is very easy to turn into a code-execution attack, and it’s very prevalent.”

The vulnerability is not new, he added; in fact, it has existed for 20 years as a concept. The difference is that until now it has only been identified in individual projects, one at a time.

“We decided to look at open-source code in GitHub from the bottom up – and saw hundreds of vulnerable implementations and projects, and some are not yet fixed,” Grander said. “From our perspective we are expecting that attacks could be happening. We decided to offer a consistent description for the vulnerability and a name to underline the significance and bring it to developers’ attention.”

According to the Snyk Security team analysis posted Tuesday, the widespread issue is typically exploited using a specially crafted ZIP file that holds directory traversal filenames (the same technique works with other archive formats, including tar, jar, war, cpio, apk, rar and 7z).

“The premise of the directory traversal vulnerability is that an attacker can gain access to parts of the file system outside of the target folder in which they should reside,” the researchers said in the analysis [PDF]. “The attacker can then overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim’s machine. The vulnerability can also cause damage by overwriting configuration files or other sensitive resources, and can be exploited on both client (user) machines and servers.”

To exploit the vulnerability, an attacker can use a specially crafted malicious ZIP/archive file containing one or more files that break out of the target directory when extracted. In a proof-of-concept video, the researchers show a weaponized ZIP archive with two files: a “good.sh” file, which would be extracted into the target directory, and an “evil.sh” file, whose job it is to traverse up the directory tree to the root and then drop a file into the TMP directory. From there, an attacker can move on to other parts of the network.

Success requires extraction code that expands the ZIP file without validating the file paths stored in the archive. When the extraction process reaches the evil.sh entry, it joins the entry's traversal path onto the destination directory and writes to the resulting location, which the attacker has chosen in advance, so evil.sh ends up outside of the target directory.
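The missing validation step described above, as an added Python illustration (not code from the Snyk analysis or from any affected project): each entry name is resolved against the destination directory and rejected if it lands outside it. The archive is constructed inline and assumes a benign `good.sh` entry and a traversal entry named `../../evil.sh`.

```python
import io
import os
import tempfile
import zipfile


def build_test_archive() -> bytes:
    """Constructed sample archive: one benign entry, one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("good.sh", "#!/bin/sh\necho hello\n")
        # Entry name carries '..' so a naive join with the destination
        # resolves two levels above it.
        zf.writestr("../../evil.sh", "#!/bin/sh\necho unexpected\n")
    return buf.getvalue()


def is_within(dest: str, name: str) -> bool:
    """True only if dest/name, after resolving '..' and symlinks, stays under dest.
    Absolute entry names such as '/etc/passwd' also fail this check, because
    os.path.join discards dest when the second component is absolute."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, name))
    return os.path.commonpath([dest_real, target]) == dest_real


def safe_extract(zip_bytes: bytes, dest: str):
    """Extract entries that stay inside dest; return (extracted, rejected) names."""
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_within(dest, info.filename):
                rejected.append(info.filename)  # the Zip Slip case
                continue
            target = os.path.join(dest, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target) or dest, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected


def run_demo() -> dict:
    """Extract the constructed archive into a fresh temp dir and report results."""
    dest = tempfile.mkdtemp()
    extracted, rejected = safe_extract(build_test_archive(), dest)
    return {"extracted": extracted, "rejected": rejected,
            "good_on_disk": os.path.isfile(os.path.join(dest, "good.sh"))}
```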

Developer projects should search for vulnerable code; the projects that have been already identified as vulnerable (along with available fixes) are listed here.

“There are so many affected projects, and the responsibility flows to the maintainers to fix this,” Grander told Threatpost. “Half have issued a fix, but for the other half, it’s hard for maintainers to address. We actually provided fixes for many libraries and did a big chunk of work to help them get rid of this before going public with our findings.”

The flaw is especially prevalent in Java, where there’s no central library offering high-level processing of ZIP files. This lack of centralization has led to vulnerable code snippets being handcrafted and shared among developer communities such as StackOverflow, Grander said.

“If I don’t provide a core archive-handling library with a proper API that’s not vulnerable, the application is going to be prone to attack,” he told us. “Ecosystems that don’t have a central library with a correct API result in developers re-using vulnerable code from various open-source libraries. So from a defense perspective, if you’re a developer using a vulnerable library, you need to upgrade to a new fixed version.”